Isabelle Falque-Pierrotin, chair of the CNIL (French Data Protection Authority), discusses the goals of the GDPR at “10 Days Before GDPR” at RightsCon Toronto on May 17, 2018.

“Alexa, turn off the lights. Read me a bedtime story…”

This innocuous command may someday be used to determine the insurance eligibility of the user. Research has shown that children who stay up late have behavioral and academic problems. User data, combined with other identifiable data about bedtimes and sleep habits could be used in scenario modeling or algorithms that determine health insurance or risk for other financial and employment-enabled uses.

The mash up of big data makes these scenarios highly possible.

It’s this secondary use of your private data that the new General Data Protection Regulation seeks to protect. In a nutshell, GDPR protects consumer data collected by the private sector and gives users authority to control further uses. The regulation emanates from the European Union to provide protections for its various member states’ citizens. However, the GDPR affects companies collecting data from international users – including media companies and social media platforms like Facebook, Instagram and Twitter.

New general data protection regulations can enforce penalties on companies that do not secure user data against disclosure, loss or theft. Clear consent must be provided and a verified trail of proof of security.

Facebook and Twitter have recently released new privacy guidelines, in advance of the GDPR that takes effect on Friday, May 25. You may have noticed the updates to privacy terms on platforms like Hootsuite or MailChimp.

Twitter privacy update image with bullet points on what is protected.

Dr. Ann Cavoukian is a three-term privacy commissioner of Ontario and a distinguished expert-in-residence leading the Privacy by Design Centre of Excellence at Ryerson University. Cavoukian developed the privacy by design framework that is the basis of the GDPR regulations.

“Privacy is not about secrecy…it’s about control and the uses of data that the user has consented to. GDPR shifts from model of negative consent –to find the opt-out box for data collection,” Cavoukian said. “But it doesn’t mean people don’t want privacy. With GDPR, it’s privacy by default, it’s the exact opposite…companies cannot use your data except for the original intended purpose.”

On May 17, Cavoukian spoke at RightsCon in Toronto on the panel “10 Days Before GDPR” to discuss implications of the new EU policies. She was joined on the panel by Isabelle Falque-Pierrotin, chair of the CNIL-French Data Protection Authority; Joe McNamee, executive director of European Digital Rights and Jeremy Rollison, vice chair of Microsoft’s digital economy committee. Estelle Masse, senior policy analyst with Access Now moderated the panel.

Rollison said in the digital age data is fertile. “It gets together with other data and makes babies. Beware the baby data,” he said.

Cavoukian said in the days of ubiquitous computing through the Internet of Things, the cases coming to her center were a fraction of what was actually happening…the majority were evading our detection.”

Recent examples of data breaches and data use that compromised users include Edward Snowden and the leak of classified government surveillance programs, Facebook and Cambridge Analytica’s use of user data, the breach of Equifax credit reporting and Anthem Insurance data.

“Privacy control has enormous societal value, “ said Cavoukian. “You cannot have freedom without it.”

2) “A private sector understanding of the provisions of GDPR to make sure the guidelines are understood by all;” and,

3) “New way of cooperation will work through the data protection authorities to enforce the guidelines.”

What is new in the process is the data protection authority network from which civil society may seek redress for violations of the GDPR. It is an operational network to receive complaints and make common decisions. Early rulings from the data protection authorities will clarify compliance and consequences spelled out, like interpretations of “legitimate interest,” the legal language in the regulation that defines the primary use of data.

The GDPR is a hybridization of EU concepts and privacy principles borrowed from other countries: privacy by design principles are adopted from Canada and accountability principles have been adopted from the U.S. Even though Canada and the United States have not signed on to the GDPR, efforts are being made to extend these principles globally. The campaign #GDPRFORALL is advocating for these privacy protections to be available all over the world.

Rollison asks whether the rest of the world is prepared to NOT have a GDPR-type policy in place.

“One half of U.S. households refrained from using certain apps or services for fear of privacy issues…there’s a chill on discourse because of privacy and security fears,” Rollison said. “Is the U.S. prepared NOT to have laws in place?” he asks.